suricata
decode-erspan.c
Go to the documentation of this file.
1 /* Copyright (C) 2020 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \ingroup decode
20  *
21  * @{
22  */
23 
24 
25 /**
26  * \file
27  *
28  * \author Victor Julien <victor@inliniac.net>
29  *
30  * Decodes ERSPAN Types I and II
31  */
32 
33 #include "suricata-common.h"
34 #include "suricata.h"
35 #include "decode.h"
36 #include "decode-events.h"
37 #include "decode-erspan.h"
38 
39 #include "util-unittest.h"
40 #include "util-debug.h"
41 
42 /**
43  * \brief Functions to decode ERSPAN Type I and II packets
44  */
45 
46 /*
47  * \brief ERSPAN Type I was configurable in 5.0.x but is no longer configurable.
48  *
49  * Issue a warning if a configuration setting is found.
50  */
51 void DecodeERSPANConfig(void)
52 {
53  int enabled = 0;
54  if (ConfGetBool("decoder.erspan.typeI.enabled", &enabled) == 1) {
55  SCLogWarning(SC_WARN_ERSPAN_CONFIG,
56  "ERSPAN Type I is no longer configurable and it is always"
57  " enabled; ignoring configuration setting.");
58  }
59 }
60 
61 /**
62  * \brief ERSPAN Type I
63  */
64 int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
65  const uint8_t *pkt, uint32_t len)
66 {
67  StatsIncr(tv, dtv->counter_erspan);
68 
69  return DecodeEthernet(tv, dtv, p, pkt, len);
70 }
71 
72 /**
73  * \brief ERSPAN Type II
74  */
75 int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
76 {
77  StatsIncr(tv, dtv->counter_erspan);
78 
79  if (len < sizeof(ErspanHdr)) {
80  ENGINE_SET_EVENT(p,ERSPAN_HEADER_TOO_SMALL);
81  return TM_ECODE_FAILED;
82  }
83 
84  const ErspanHdr *ehdr = (const ErspanHdr *)pkt;
85  uint16_t version = SCNtohs(ehdr->ver_vlan) >> 12;
86  uint16_t vlan_id = SCNtohs(ehdr->ver_vlan) & 0x0fff;
87 
88  SCLogDebug("ERSPAN: version %u vlan %u", version, vlan_id);
89 
90  /* only v1 is tested at this time */
91  if (version != 1) {
92  ENGINE_SET_EVENT(p,ERSPAN_UNSUPPORTED_VERSION);
93  return TM_ECODE_FAILED;
94  }
95 
96  if (vlan_id > 0) {
97  if (p->vlan_idx >= 2) {
98  ENGINE_SET_EVENT(p,ERSPAN_TOO_MANY_VLAN_LAYERS);
99  return TM_ECODE_FAILED;
100  }
101  p->vlan_id[p->vlan_idx] = vlan_id;
102  p->vlan_idx++;
103  }
104 
105  return DecodeEthernet(tv, dtv, p, pkt + sizeof(ErspanHdr), len - sizeof(ErspanHdr));
106 }
107 
108 /**
109  * @}
110  */
ENGINE_SET_EVENT
#define ENGINE_SET_EVENT(p, e)
Definition: decode.h:1003
len
uint8_t len
Definition: app-layer-dnp3.h:2
decode-erspan.h
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:169
DecodeERSPAN
int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type II.
Definition: decode-erspan.c:75
Packet_::vlan_id
uint16_t vlan_id[2]
Definition: decode.h:441
ConfGetBool
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:516
DecodeERSPANConfig
void DecodeERSPANConfig(void)
Functions to decode ERSPAN Type I and II packets.
Definition: decode-erspan.c:51
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:298
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:442
DecodeThreadVars_::counter_erspan
uint16_t counter_erspan
Definition: decode.h:670
SC_WARN_ERSPAN_CONFIG
@ SC_WARN_ERSPAN_CONFIG
Definition: util-error.h:362
ERSPAN_UNSUPPORTED_VERSION
@ ERSPAN_UNSUPPORTED_VERSION
Definition: decode-events.h:194
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:81
util-unittest.h
decode.h
util-debug.h
DecodeERSPANTypeI
int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type I.
Definition: decode-erspan.c:64
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
Packet_
Definition: decode.h:414
ERSPAN_TOO_MANY_VLAN_LAYERS
@ ERSPAN_TOO_MANY_VLAN_LAYERS
Definition: decode-events.h:195
decode-events.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:30
SCNtohs
#define SCNtohs(x)
Definition: suricata-common.h:398
suricata-common.h
version
uint8_t version
Definition: decode-gre.h:1
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
SCLogWarning
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:244
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:631
suricata.h
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:41
ERSPAN_HEADER_TOO_SMALL
@ ERSPAN_HEADER_TOO_SMALL
Definition: decode-events.h:193